b'TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION\n\n\n\n\n                      Increased Oversight of Information\n                     Technology Hardware Maintenance\n                   Contracts Is Necessary to Ensure Against\n                       Paying for Unnecessary Services\n\n\n\n                                      September 24, 2013\n\n                              Reference Number: 2013-22-094\n\n\n\n\n This report has cleared the Treasury Inspector General for Tax Administration disclosure review process\n  and information determined to be restricted from public release has been redacted from this document.\n\n\n\n Phone Number / 202-622-6500\n E-mail Address / TIGTACommunications@tigta.treas.gov\n Website        / http://www.treasury.gov/tigta\n\x0c                                               HIGHLIGHTS\n\n\nINCREASED OVERSIGHT OF                             when necessary to update an existing contract.\nINFORMATION TECHNOLOGY                             As a result of the lack of coordination and\nHARDWARE MAINTENANCE                               oversight, the IRS paid for services it did not\nCONTRACTS IS NECESSARY TO                          receive or need.\nENSURE AGAINST PAYING FOR                          Further, TIGTA found incomplete or inaccurate\nUNNECESSARY SERVICES                               asset data in three of the seven information\n                                                   technology hardware maintenance contracts\n                                                   reviewed. A current TIGTA review provided the\nHighlights                                         IRS with several recommendations for improving\n                                                   internal controls and overall reliability of the\nFinal Report issued on                             data.\nSeptember 24, 2013                                 WHAT TIGTA RECOMMENDED\nHighlights of Reference Number: 2013-22-094        TIGTA recommended that the Chief Technology\nto the Internal Revenue Service Chief              Officer ensure that Contracting Officer\xe2\x80\x99s\nTechnology Officer.                                Representatives provide Contracting Officers\n                                                   notification to timely process a contract\nIMPACT ON TAXPAYERS                                modification when information technology assets\nCoordination among acquisition team members        are retired or removed from service or changes\nis a key to ensuring that the contractor is        to performance requirements are made.\nmeeting the Government\xe2\x80\x99s interest in terms of      Additionally, Contracting Officer\xe2\x80\x99s\nproviding deliverables that are of high quality,   Representatives should make any necessary\ncomplete, timely, and cost effective. However,     adjustments with respect to receipt and\nthe IRS\xe2\x80\x99s administration of selected information   acceptance. In addition, the Chief Technology\ntechnology hardware maintenance contracts          Officer should ensure that Contracting Officer\xe2\x80\x99s\ncould be enhanced. The IRS cannot ensure that      Representatives work closely with Technical\ntaxpayer dollars are not being misspent to         Points of Contact to periodically reconcile assets\nservice information technology hardware assets     associated with hardware maintenance\nthat are no longer in use.                         contracts and provide necessary updates to\n                                                   User and Network Services Asset Management\nWHY TIGTA DID THE AUDIT                            personnel.\nThis audit is included in TIGTA\xe2\x80\x99s Fiscal           In its response to the report, the IRS agreed with\nYear 2013 Annual Audit Plan and addresses the      TIGTA\xe2\x80\x99s recommendations. The IRS plans to\nmajor management challenge of Achieving            communicate and emphasize expectations with\nProgram Efficiencies and Costs Savings. The        Information Technology organizations so that\noverall objective was to determine whether the     managers can take appropriate action to ensure\nIRS has adequate controls over its hardware        that hardware maintenance contracts are\nmaintenance contracts and is actively mitigating   administered, acquisition duties are performed,\ncontract fraud risks.                              and acquisition staff effectively coordinate in\n                                                   reconciling and providing updates about assets\nWHAT TIGTA FOUND                                   associated with hardware maintenance\nTIGTA found several weaknesses in the              contracts, all in accordance with existing IRS\noversight of selected information technology       policy.\nhardware maintenance contracts. Specifically,\nTIGTA found instances where contracting\npersonnel were not always effectively monitoring\nthe contracts. TIGTA also found an instance\nwhere the IRS did not receive contract\ndeliverables in accordance with the contract\xe2\x80\x99s\nrequirements or submit written modifications\n\x0c                                           DEPARTMENT OF THE TREASURY\n                                                WASHINGTON, D.C. 20220\n\n\n\n\nTREASURY INSPECTOR GENERAL\n  FOR TAX ADMINISTRATION\n\n\n\n\n                                         September 24, 2013\n\n\n MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER\n\n\n FROM:                       Michael E. McKenney\n                             Acting Deputy Inspector General for Audit\n\n SUBJECT:                    Final Audit Report \xe2\x80\x93 Increased Oversight of Information Technology\n                             Hardware Maintenance Contracts Is Necessary to Ensure Against\n                             Paying for Unnecessary Services (Audit # 201220224)\n\n This report presents the results of our review of Information Technology Hardware Maintenance\n Contracts. The overall objective of this review was to determine whether the Internal Revenue\n Service has adequate controls over its hardware maintenance contracts and is actively mitigating\n contract fraud risk. This review addresses the major management challenge of Achieving\n Program Efficiencies and Costs Savings and is included in TIGTA\xe2\x80\x99s Fiscal Year 2013 Annual\n Audit Plan.\n Management\xe2\x80\x99s complete response to the draft report is included as Appendix V.\n Copies of this report are also being sent to the IRS managers affected by the report\n recommendations. If you have any questions, please contact me or Alan R. Duncan, Assistant\n Inspector General for Audit (Security and Information Technology Services).\n\x0c                           Increased Oversight of Information Technology Hardware\n                            Maintenance Contracts Is Necessary to Ensure Against\n                                      Paying for Unnecessary Services\n\n\n\n\n                                            Table of Contents\n\nBackground .......................................................................................................... Page 1\n\nResults of Review ............................................................................................... Page 4\n          Some Deficiencies Were Identified in the\n          Administration of Selected Information\n          Technology Hardware Maintenance Contracts. ............................................ Page 4\n                    Recommendations 1 and 2: ................................................ Page 6\n\n          Asset Data for Selected Maintenance\n          Contracts Were Inaccurate and Incomplete. ................................................. Page 7\n\nAppendices\n          Appendix I \xe2\x80\x93 Detailed Objective, Scope, and Methodology ........................ Page 8\n          Appendix II \xe2\x80\x93 Major Contributors to This Report ........................................ Page 10\n          Appendix III \xe2\x80\x93 Report Distribution List ....................................................... Page 11\n          Appendix IV \xe2\x80\x93 Glossary of Terms ................................................................ Page 12\n          Appendix V \xe2\x80\x93 Management\xe2\x80\x99s Response to the Draft Report ....................... Page 13\n\x0c        Increased Oversight of Information Technology Hardware\n         Maintenance Contracts Is Necessary to Ensure Against\n                   Paying for Unnecessary Services\n\n\n\n\n                    Abbreviations\n\nCO            Contracting Officer\nCOR           Contracting Officer\xe2\x80\x99s Representative\nIRS           Internal Revenue Service\nIT            Information Technology\nTIGTA         Treasury Inspector General for Tax Administration\nTPOC          Technical Point of Contact\n\x0c                    Increased Oversight of Information Technology Hardware\n                     Maintenance Contracts Is Necessary to Ensure Against\n                               Paying for Unnecessary Services\n\n\n\n\n                                      Background\n\nThe Internal Revenue Service (IRS) Information Technology (IT) organization delivers\ninformation technology services and solutions that drive effective tax administration to ensure\npublic confidence. Its goals include improving service, delivering modernization, increasing\nvalue, and assuring the security and resilience of IRS information systems and data. The IRS IT\norganization consists of nine different functional areas, e.g., User and Network Services,\nCybersecurity, and Applications Development and works closely with each operating division\nand functional area to deliver quality, world-class information technology support, services, and\nsolutions.\nAs part of its annual budget, the IRS includes funding for infrastructure costs, such as hardware\nmaintenance. The IRS spent about $39.8 million on hardware maintenance during Fiscal\nYear 2009. The amount increased to $44.9 million in Fiscal Year 2010 and remained relatively\nsteady at $44.1 million in Fiscal Year 2011. In Fiscal Year 2012, the IRS spent $47.8 million on\nhardware maintenance.\nThere are generally two scenarios that occur within the IRS when purchasing maintenance for its\ninformation technology hardware assets. First, when most hardware assets, e.g., laptops,\ndesktops, and servers are purchased, those assets come with a manufacturer\xe2\x80\x99s warranty to cover\nreplacement and repairs. In this scenario, the IRS will usually wait until the warranty coverage\nnears expiration before it purchases maintenance if needed for those assets. Second, when the\nIRS purchases information technology hardware assets that support critical infrastructure\nprojects, e.g., loggers to monitor Internet and e-mail traffic, it will often immediately purchase\nupgraded maintenance coverage to ensure that the asset can be promptly serviced or replaced\nwithout causing a significant disruption to ongoing operations.\nManagement of the IRS information technology environment is organized into four tier levels:\nTier 1 (supercomputers and mainframes), Tier 2 (minicomputers), Tier 3 (microcomputers), and\nTier 4 (data and voice telecommunications). Before a requisition for hardware services,\ni.e., maintenance, is forwarded to the Office of Procurement for processing, it will undergo\nvarious levels of management and technical review within the IT organization. First, it\nundergoes review by one of the four tier levels depending on the type of good/service being\nacquired. For example, if the IRS needs to purchase hardware maintenance for laptops or\ndesktops, the requisition would need approval by Tier III (microcomputers). After tier review,\nthe requisition is routed to the User and Network Services organization\xe2\x80\x99s Asset Management\ngroup to research and ensure that the assets associated with the requisition are tracked in the\ninventory system. According to personnel from the User and Network Services organization,\ncontract information, e.g., contract number, coverage dates, and applicable vendor information is\nadded to the inventory system\xe2\x80\x99s Vendor Contract Module to help with associating information\n\n                                                                                           Page 1\n\x0c                    Increased Oversight of Information Technology Hardware\n                     Maintenance Contracts Is Necessary to Ensure Against\n                               Paying for Unnecessary Services\n\n\n\ntechnology hardware assets with their maintenance contract. The process to create the linkage\nand validate the information is manual and requires that the Asset Management team be provided\nidentifying data for the impacted information technology hardware assets.\nWhen the IRS awards a contract, the acquisition team is responsible for the various aspects of the\ncontract administration. This team consists of a Contracting Officer (CO), Contracting Officer\xe2\x80\x99s\nRepresentative (COR), and Technical Point of Contact (TPOC). The responsibilities of the\nacquisition team are as follows:\n   \xef\x82\xb7   Contracting Officer \xe2\x80\x93 has the authority to enter into, administer, and/or terminate\n       contracts. COs are responsible for ensuring performance of all necessary actions for\n       effective contracting, for ensuring compliance with the terms of the contract, and for\n       safeguarding the interests of the Government in its contractual relationships. The CO is\n       the only person authorized to issue a contract modification or task order change.\n   \xef\x82\xb7   Contracting Officer\xe2\x80\x99s Representative \xe2\x80\x93 designated by the CO to perform certain\n       administrative tasks related to a specific contract. The primary role of the COR is to\n       monitor the contractor\xe2\x80\x99s performance, ensure that the contractor delivers what is called\n       for in the contract, and serve as the technical liaison between the contractor and the CO.\n       Most CORs are not co-located with the TPOCs at the various sites and do not work\n       directly with the assets or contractors. Therefore, the COR relies on the TPOC for the\n       assurance of delivered goods or rendered services.\n   \xef\x82\xb7   Technical Point of Contact \xe2\x80\x93 responsible for providing technical assistance, input and\n       direction to the CO and COR throughout the life cycle of the contract. Regarding\n       information technology hardware maintenance contracts, the TPOC facilitates the process\n       of confirming contractor services were performed prior to notifying the COR to pay the\n       invoice. The TPOC also ensures that asset records are accurate.\nThe IRS IT organization\xe2\x80\x99s Vendor and Contract Management office was created to help\nmaximize the value of information technology investments by implementing effective sourcing\nstrategies, monitoring vendor performance and contract management, and facilitating strong\nacquisition governance processes. This office consists of a director and 13 staff divided among\nthree different groups. The Program Management group specifically has responsibility for\nconducting research and analyses on the information technology contract portfolio and\nevaluating contract management processes to identify opportunities for cost savings. Due to\nlimited staffing, the Vendor and Contract Management office reviews all requisitions where the\ncontract will total $5 million or more.\nThis review was performed at the offices of the IRS IT organization\xe2\x80\x99s Cybersecurity, Enterprise\nOperations, and Strategy and Planning organizations located in Lanham, Maryland, and the\nAgency-Wide Shared Service\xe2\x80\x99s Office of Procurement located in Oxon Hill, Maryland, during\nthe period of April 2012 through May 2013. We conducted this performance audit in accordance\nwith generally accepted government auditing standards. Those standards require that we plan\n                                                                                            Page 2\n\x0c                    Increased Oversight of Information Technology Hardware\n                     Maintenance Contracts Is Necessary to Ensure Against\n                               Paying for Unnecessary Services\n\n\n\nand perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for\nour findings and conclusions based on our audit objective. We believe that the evidence\nobtained provides a reasonable basis for our findings and conclusions based on our audit\nobjective. Detailed information on our audit objective, scope, and methodology is presented in\nAppendix I. Major contributors to the report are listed in Appendix II.\n\n\n\n\n                                                                                            Page 3\n\x0c                        Increased Oversight of Information Technology Hardware\n                         Maintenance Contracts Is Necessary to Ensure Against\n                                   Paying for Unnecessary Services\n\n\n\n\n                                       Results of Review\n\nSome Deficiencies Were Identified in the Administration of Selected\nInformation Technology Hardware Maintenance Contracts\nOur review identified several weaknesses in the oversight of selected information technology\nhardware maintenance contracts. We judgmentally selected seven maintenance contracts for\nreview,1 interviewed members from the acquisition team for each contract to determine their\nroles and responsibilities, and reviewed the contract file documentation. During our review, we\nfound instances where contracting personnel were not always effectively monitoring contracts\nand issuing a contract modification when necessary. For example, in one of the contracts\nreviewed, we identified 10 assets that were retired (June 2012) prior to the end of the contract\nperiod (January 2013). This contract provided maintenance for the 64 hardware components,\ne.g., switches, located in the Development, Integration and Test Environment.2 The contract,\ntotaling $80,310, was awarded in January 2012 and expired January 2013. In the contract\ndocuments reviewed, we did not find any evidence where a modification was submitted to\nremove these assets from the contract. However, the IRS was still being billed the same monthly\nmaintenance amount ($6,692) even though the 10 assets had been retired. The TPOC for this\ncontract advised that the usual process is to review and reconcile the assets associated with the\ncontract prior to the contract\xe2\x80\x99s annual renewal.\nIn another contract we reviewed, we identified an outdated information technology asset list that\nwas being used to manage the contract and pay the vendor. This particular contract provided\nmaintenance for storage devices that required coverage since the original manufacturer\xe2\x80\x99s\nwarranty coverage elapsed. When the contract was originally awarded in December 2009, it\ncovered 54 storage devices with an average annual hardware maintenance cost of about\n$2.5 million.3 The current list, dated April 1, 2013, showed 32 storage devices requiring\nmaintenance. The decrease in the number of storage devices is due to the retirement of those\nhardware assets or the migration to a separate storage contract as part of IRS\xe2\x80\x99s efforts to\nconsolidate and share storage across the IRS.\nThe current TPOC for the storage contract we reviewed was assigned in November 2012. Since\nthen, the TPOC worked closely with the vendor to reconcile and correct the old asset inventory\nlist and provided that to the COR. Even after doing the reconciliation, another incorrect list,\nrepresenting the storage devices that should receive coverage during the final period of this\n\n1\n  A judgmental sample is a nonstatistical sample, the results of which cannot be used to project to the population.\n2\n  See Appendix IV for a glossary of terms.\n3\n  The contract included six-month option/renewal periods to provide flexibility to reduce the contract.\n                                                                                                              Page 4\n\x0c                    Increased Oversight of Information Technology Hardware\n                     Maintenance Contracts Is Necessary to Ensure Against\n                               Paying for Unnecessary Services\n\n\n\ncontract, was presented to the TPOC to assist with performing receipt and acceptance. It is not\nclear from the documentation provided how this occurred. It may have been caused by a lack of\noversight and coordination among responsible parties.\nFurther, this same contract stipulated 34 different performance standards along with associated\ndeliverables, i.e., the documents used to monitor the standards. The performance standards\nincluded tasks such as providing 24/7 availability to communicate with the IRS on critical errors,\nkeeping the system in working order, and delivering an inventory. When we inquired about the\nperformance standard that requires the contractor to provide a list of assets, the acquisition team\nstated it had not received this report since being assigned oversight responsibilities for this\ncontract and that very few of the electronic documents associated with this contract were\nprovided to them by the prior acquisition team. The current TPOC also advised that these\nreports are no longer necessary since the IRS can input its maintenance requests directly into the\nvendor\xe2\x80\x99s helpdesk system for tracking/monitoring purposes. If the acquisition team deems that\nseveral of the performance standards no longer apply, then it should proceed with submitting a\nmodification to remove these requirements and negotiate a new contract cost from the vendor.\nThe COR has responsibility for the day-to-day oversight of the contract and the responsibilities\nare documented in a letter of appointment. The responsibilities include:\n   \xef\x82\xb7   Assuring that changes in work or services are included in the contract through a written\n       modification issued by the CO.\n   \xef\x82\xb7   Monitoring the contractor\xe2\x80\x99s performance of the contract\xe2\x80\x99s technical requirements to\n       assure that performance is strictly within the scope of the contract.\nFurther, Federal Acquisition Regulation sections 52.243-1 \xe2\x80\x93 52.243-7 authorize the CO to make\nchanges within the general scope of a contract when changes cause an increase or decrease in the\ncost or when property is obsolete or excessed. These changes must be done through a written\ncontract modification issued by the CO. In addition, the Federal Acquisition Regulation requires\na contract modification to be executed before a work scope change is implemented, if\npracticable. These actions can only be taken if there is ongoing coordination between the TPOC\nand COR regarding changes to the information technology hardware assets, i.e., asset retirement.\nThis ongoing communication assists the COR with fulfilling his/her responsibility to notify the\nCO to modify the contract.\nAs a result of this lack of proper coordination and oversight, the IRS paid for services it did not\nneed or did not receive. The IRS also did not receive contract deliverables in accordance with\nthe contract\xe2\x80\x99s requirements or submit written modifications when necessary to update an existing\ncontract. These scenarios could potentially cause the IRS to unnecessarily pay for maintenance\non assets that have been retired and no longer need this service. When contracts are not properly\nadministered, the IRS may not receive the desired outcome or the best return on its investment.\n\n\n\n                                                                                            Page 5\n\x0c                      Increased Oversight of Information Technology Hardware\n                       Maintenance Contracts Is Necessary to Ensure Against\n                                 Paying for Unnecessary Services\n\n\n\nThe Treasury Inspector General for Tax Administration (TIGTA) previously reported similar\ndeficiencies in its review of another contract.4\nWe did not identify any potential fraudulent activity among the contracts reviewed. We\nconducted interviews of the contracting personnel to ensure that procedures were in place to\nmitigate fraud risk. Many individuals interviewed confirmed they would contact their managers,\nthe CO, or the TIGTA\xe2\x80\x99s Office of Investigation if they suspected any fraudulent activity.\nFurther, an internal website used by contracting personnel provides information on where to\nreport suspected fraudulent activity. We also performed tests to determine if any of the selected\nvendors were involved in any legal proceedings.\nManagement Action: IRS management agreed that there was a gap in the understanding and\nmanagement of the storage contract selected in our review due to COR attrition. The IRS has\ntaken steps to mitigate these issues over the last two months. The CO has been made aware of\nthe TPOC\xe2\x80\x99s work to reconcile the hardware list with the vendor and will be contacting the\nvendor for the required documentation supporting a reduction in costs. The COR is also\nreviewing the current performance standards to identify non-applicable performance standards to\nbe removed.\n\nRecommendations\nThe Chief Technology Officer should:\nRecommendation 1: Ensure that the CORs provide the CO notification to timely process a\ncontract modification, if appropriate, when information technology assets are retired or removed\nfrom service, or changes to performance requirements are made. Additionally, the CORs should\nmake any necessary adjustments with respect to receipt and acceptance.\n        Management\xe2\x80\x99s Response: The IRS agreed with our recommendation. The IRS will\n        communicate and emphasize expectations with IT organizations so that managers can\n        take appropriate action to ensure that hardware maintenance contracts are administered\n        and acquisition duties are performed in accordance with existing IRS policy.\nRecommendation 2: Ensure that the CORs work closely with the TPOCs to periodically\nreconcile assets associated with hardware maintenance contracts to the vendor\xe2\x80\x99s independent\nrecords and provide necessary updates about the assets to User and Network Services Asset\nManagement personnel.\n        Management\xe2\x80\x99s Response: The IRS agreed with our recommendation. The IRS will\n        communicate and emphasize expectations with IT organizations so that managers can\n        take appropriate action to ensure that acquisition staff effectively coordinate in\n\n4\n  TIGTA, Ref. No. 2012-10-075, An Independent Risk Assessment of Facility Physical Security Was Not Performed\nin Compliance With Contract Requirements (Jul. 2012).\n                                                                                                      Page 6\n\x0c                     Increased Oversight of Information Technology Hardware\n                      Maintenance Contracts Is Necessary to Ensure Against\n                                Paying for Unnecessary Services\n\n\n\n        reconciling and providing updates about assets associated with hardware maintenance\n        contracts in accordance with existing IRS policy.\n\nAsset Data for Selected Maintenance Contracts Were Inaccurate and\nIncomplete\nA recent TIGTA review5 of the IRS IT organization\xe2\x80\x99s asset inventory system identified several\ndeficiencies in the internal controls designed to ensure accurate and complete inventory records.\nWe also identified incomplete or inaccurate asset data in three of the seven information\ntechnology hardware maintenance contracts reviewed.\n    \xef\x82\xb7   In two contracts reviewed, the IRS purchased a total of 25 information technology assets\n        and upgraded the maintenance coverage for these assets. However, none of the 25 assets\n        were recorded in the information technology asset inventory management system.\n        Subsequent to our bringing this to the attention of the acquisition teams, documentation\n        was provided to illustrate that the information technology assets were added in the\n        inventory system. All IRS owned or leased information technology equipment must be\n        added into the inventory system and updates to asset data must be completed within\n        10 days.\n    \xef\x82\xb7   In another contract reviewed, we compared the asset listing to the information technology\n        asset inventory system and identified four retired assets. The IRS provided the disposal\n        documentation for these four retired assets showing that these assets were \xe2\x80\x9cwritten off\xe2\x80\x9d\n        because they could not be located during the inventory. However, as a result of our\n        subsequent inquiries, the IRS confirmed that the assets existed and took steps to correct\n        the information technology asset inventory management system by placing the assets into\n        an \xe2\x80\x9cin use\xe2\x80\x9d status.\nThese data discrepancies occurred because the internal controls for proper asset management\nneed to be strengthened and due to a lack of available resources to monitor and oversee the\ninventory. The discrepancies identified in this review further underscore the need to periodically\nreconcile the assets associated with hardware maintenance and ensure that the IRS accounts for\nall of its assets and only pays for maintenance coverage on those assets that are still in service.\nFurther, it is equally important that the various users of the information technology asset\ninventory management system data have confidence in and can rely on the data maintained\nwithin the system. TIGTA\xe2\x80\x99s current review6 provided the IRS with several recommendations for\nimproving internal controls and overall reliability of the data.\n\n\n5\n  TIGTA, Ref. No. 2013-20-089, Weaknesses in Asset Management Controls Leave Information Technology Assets\nVulnerable to Loss (Sept. 2013).\n6\n  TIGTA, Ref. No. 2013-20-089, Weaknesses in Asset Management Controls Leave Information Technology Assets\nVulnerable to Loss, pp. 7, 11, and 15 (Sept. 2013).\n                                                                                                    Page 7\n\x0c                          Increased Oversight of Information Technology Hardware\n                           Maintenance Contracts Is Necessary to Ensure Against\n                                     Paying for Unnecessary Services\n\n\n\n                                                                                                      Appendix I\n\n            Detailed Objective, Scope, and Methodology\n\nThe overall objective of this review was to determine whether the IRS has adequate controls over\nits hardware maintenance contracts and is actively mitigating contract fraud risk. To achieve our\nobjective, we:\nI.         Determined whether IRS personnel have adequate controls in place to prevent payment\n           for maintenance services for assets covered by warranty or that have been disposed.\n           A. Identified the universe of 208 hardware maintenance contracts awarded during Fiscal\n              Years 2009 through 2012. We judgmentally1 selected seven contracts to review\n              based on the following monetary criteria: two contracts, each worth more than\n              $5 million; two contracts worth between $700,000 and $4 million; and three contracts\n              each worth less than $700,000. One of the contracts we reviewed was a closed\n              contract. We used judgmental sampling because we did not intend to project our\n              results to the contract universe. Further, the scope of our review was limited due to\n              an ongoing TIGTA investigation.\n           B. Reviewed all contract documentation such as the Statement of Work2 (also called a\n              Performance Work Statement), invoices, modification, and asset listing of each\n              sampled contract to identify the contractor\xe2\x80\x99s requirements for providing maintenance.\n           C. Compared a copy of the asset listing associated with the maintenance contract with\n              the data recorded in the asset inventory system to obtain the current status of the\n              assets. In order to assess the reliability of the inventory data, data were reviewed for\n              reasonableness. We reviewed the assets associated with our selected contracts to\n              verify their accuracy in the inventory system and identified several with incorrect\n              statuses. However, we found the data to be reliable for the limited purposes of this\n              audit and performed no other validity tests.\n           D. For the sampled contracts, we interviewed the CO, COR, and TPOC to determine\n              their roles and responsibilities in providing oversight for the selected contracts and\n              their awareness of fraud.\nII.        Assessed actions taken by the IT organization to enhance vendor, contract, and asset\n           management activities.\n\n\n\n1\n    A judgmental sample is a nonstatistical sample, the results of which cannot be used to project to the population.\n2\n    See Appendix IV for a glossary of terms.\n                                                                                                                Page 8\n\x0c                   Increased Oversight of Information Technology Hardware\n                    Maintenance Contracts Is Necessary to Ensure Against\n                              Paying for Unnecessary Services\n\n\n\nIII.   Interviewed individuals involved with overseeing maintenance contracts to determine\n       their awareness in detecting and reporting potential fraud.\nInternal controls methodology\nInternal controls relate to management\xe2\x80\x99s plans, methods, and procedures used to meet their\nmission, goals, and objectives. Internal controls include the processes and procedures for\nplanning, organizing, directing, and controlling program operations. They include the systems\nfor measuring, reporting, and monitoring program performance. We determined the following\ninternal controls were relevant to our audit objective: the Federal Acquisition Regulations, IRS\nprocurement policies and procedures, and the User and Network Services organization\xe2\x80\x99s policies\nand procedures relating to information technology asset management. We evaluated these\ncontrols by interviewing acquisition team members and User and Network Services organization\npersonnel and reviewing relevant contract documentation.\n\n\n\n\n                                                                                          Page 9\n\x0c                   Increased Oversight of Information Technology Hardware\n                    Maintenance Contracts Is Necessary to Ensure Against\n                              Paying for Unnecessary Services\n\n\n\n                                                                              Appendix II\n\n                 Major Contributors to This Report\n\nAlan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology\nServices)\nDanny Verneuille, Director\nDiana Tengesdal, Audit Manager\nAnthony Morrison, Program Analyst\nSarah Shelton, Program Analyst\nLinda Nethery, Information Technology Specialist\n\n\n\n\n                                                                                     Page 10\n\x0c                 Increased Oversight of Information Technology Hardware\n                  Maintenance Contracts Is Necessary to Ensure Against\n                            Paying for Unnecessary Services\n\n\n\n                                                                            Appendix III\n\n                        Report Distribution List\n\nActing Commissioner\nOffice of the Commissioner \xe2\x80\x93 Attn: Chief of Staff C\nDeputy Commissioner for Operations Support OS\nDeputy Chief Information Officer for Operations OS:CTO\nChief, Agency-Wide Shared Services OS:A\nAssociate Chief Information Officer, User and Network Services OS:CTO:UNS\nDirector, Procurement OS:A:P\nDirector, Vendor Contract Management OS:CTO:SP:VCM\nChief Counsel CC\nNational Taxpayer Advocate TA\nDirector, Office of Legislative Affairs CL:LA\nDirector, Office of Program Evaluation and Risk Analysis RAS:O\nOffice of Internal Control OS:CFO:CPIC:IC\nAudit Liaison: Director, Risk Management Division OS:CTO:SP:RM\n\n\n\n\n                                                                                  Page 11\n\x0c                    Increased Oversight of Information Technology Hardware\n                     Maintenance Contracts Is Necessary to Ensure Against\n                               Paying for Unnecessary Services\n\n\n\n                                                                                 Appendix IV\n\n                                Glossary of Terms\n\nTerm                             Definition\n24/7                             The contractor maintains a helpdesk function staffed 24 hours\n                                 a day, seven days a week to communicate with the IRS on\n                                 critical errors.\nDelivery Order                   An order for supplies placed against an established contract or\n                                 with Government sources.\nDevelopment, Integration, and    Provides a standardized modernized development, integration,\nTest Environment                 and test environment and the associated tools and processes\n                                 needed to ensure the successful production deployment of IRS\n                                 modernization projects.\nInvoice                          A contractor\xe2\x80\x99s bill or written request for payment under the\n                                 contract for supplies delivered or services performed.\nModification                     Any formal change to the terms and conditions of a contract,\n                                 delivery order, or task order, either within or outside the scope\n                                 of the original agreement.\nOption                           A unilateral right in a contract by which, for a specified time,\n                                 the Government may elect to purchase additional supplies or\n                                 services called for by the contract, or may elect to extend the\n                                 term of the contract.\nReceipt and Acceptance           The point at which the Government accepts ownership of\n                                 specifically identified supplies or approves the performance of\n                                 specific services.\nStatement of Work                Documents the work to be performed by the contractor, the\n                                 period of performance, performance standards, and special\n                                 requirements.\nSwitch                           A small hardware device that joins multiple computers\n                                 together with one local area network.\nTask Order                       An order for services placed against an established contract or\n                                 with Government sources.\n\n\n                                                                                          Page 12\n\x0c     Increased Oversight of Information Technology Hardware\n      Maintenance Contracts Is Necessary to Ensure Against\n                Paying for Unnecessary Services\n\n\n\n                                                   Appendix V\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                         Page 13\n\x0cIncreased Oversight of Information Technology Hardware\n Maintenance Contracts Is Necessary to Ensure Against\n           Paying for Unnecessary Services\n\n\n\n\n                                                    Page 14\n\x0c'